Nmap Announce mailing list archives

Re: Scanning hosts connecting to a linuxbox.

From: Kevin Littlejohn <darius () connect com au>
Date: Sat, 13 Feb 1999 07:41:27 +1100

A warning for people planning on doing this:  Please please please only
fire off counter-attacks in situations where you have a tcp connection
(ie completed handshake) between you and the remote host - or in preference,
don't fire the damned thing off in the first place.

It's firstly far too easy to scan from a spoofed address, and trigger your
machine into attacking an innocent host (at which point you get hauled up
in front of the firing squad ;), and secondly a huge number of scans/attacks
come from compromised third party machines - you're usually going to be
attacking a machine the cracker considers expendable (after all, whose
going to do something as noisy as a scan from a valuable machine?)

Automate dropping yourself an email, sure.  Automate dropping the remote
admin an email, yeah, that's reasonable - if nothing else it'll put the
fear of god into any cracker watching the admin mailbox on that machine.
Automated scans and attacks are way easily abused by third parties...

KevinL
(on behalf of harassed admins everywhere *grin*)

Rasmus Andersson wrote

Interesting thought. I don't want to hack the kernel, so how about
letting ipfwadm log to syslog facility (with -o ) and just watch the
logs (to "kern" facility) with a Perl script or whatever? A log entry
looks like this:

Jan 19 18:11:49 idefix kernel: IP fw-in rej eth0 UDP 23.4.5.23:4924
123.4.5.6:2049 L=112 S=0x00 I=30795 F=0x0000 T=128

So we might cut out the source address, check if it's worth scanning
(i.e. not an RFC 1918 or localhost or something, and not one of our
friends) and just hit it. Thanks for giving me the idea. Also, if he is
obviously a very bad guy (checking for netbus or something) we could
fire off Patriot missiles on him :-)

The watcher script could set some environment variables (source address,
destination port etc.) and call another script where we do the nmap
scans and whatever we want. A check should be done so not doing it twice
on the same target within a given time.

Ouch... there goes my weekend :)

/Rasmus

Current thread:

Scanning hosts connecting to a linuxbox. Mike A. Harris (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Rasmus Andersson (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 12)
  - Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
    - Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 14)
    - Re: Scanning hosts connecting to a linuxbox. Max Vision (Feb 14)
    - Re: Scanning hosts connecting to a linuxbox. ace24 (Feb 15)
    - Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Philip Ehrens (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Taral (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Kevin Littlejohn (Feb 12)
  - RE: Scanning hosts connecting to a linuxbox. Dragos Ruiu (Feb 13)
- Re: Scanning hosts connecting to a linuxbox. johnny (Feb 13)
- <Possible follow-ups>
- RE: Scanning hosts connecting to a linuxbox. Brown, Mark (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Chris St. Clair (Feb 15)
  - Re: Scanning hosts connecting to a linuxbox. Bryan Seitz (Feb 15)